Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release.

Key Fixes

Key Fixes in AM 7.0.1

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what's been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

Key Fixes in AM 7

  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn't work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren't always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn't Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn't redirect to IDP if it's 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity ***" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain `Format=..`, remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn't return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute have space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback...

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what's been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Display when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 have bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throws Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

  • OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading..." page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn't update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn't redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn't set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Limitations

The following limitations and workarounds apply to this release:

  • Evaluation Installation Limitations

    In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK's default truststore's permissions are 444:

    $JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /usr/share/tomcat/access/var/install.log for more information.

    To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

    $ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

    You can change the permissions back as they were originally after installing AM.

  • Identity and Data Store Scaling Limitations

    The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.

    To work around this, either:

    • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

    • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy's URL in the connection string.

  • SAML v2.0 UI Limitations

    The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.

    Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.

  • Web Authentication (WebAuthn) Limitations

    AM 7.0.1 does not support the following functionality as described in the Web Authentication specification:

    Registration
    Authentication

    For more information about Web Authentication, see MFA: Web Authentication (WebAuthn).

  • RADIUS Service Only Supports Commons Audit Logging

    The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, cannot access the AM administration console.

    • The top-level administrator, such as amAdmin, has access to full AM console functionality in all realms and can access AM's global configuration.

  • Non-String JOSE Header Parameters in JWTs Are Not Supported

    AM ignores the content of non-string JWT header parameters, such as jku and jwe. Configure the public keys/certificates in AM instead, as explained in the relevant sections of the documentation.

  • Different AM Versions Within a Site Are Not Supported

    Do not run different versions of AM together in the same AM site.

  • Use of Special Characters in Policy or Application Creation is Not Supported

    Do not use special characters in policy, application, or referral names (for example, "my+referral") when using the Policy Editor or REST endpoints; AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

  • XACML Policy Import and Export from Different Vendors is Not Supported

    AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

  • JCEKS Keystore Now Required for User Self-Services

    In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.

    In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.

    OpenAM 13.5.0 and later solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.

    For specific instructions to configure the JCEKS keystore, see "Managing the AM Keystore".

    Note

    This procedure is not necessary for the following users:

    • Users upgrading from versions prior to OpenAM 13.0.0 are not impacted.

    • Users who upgrade from OpenAM 13.0.0 and do not enable the user self-services feature are not impacted.

    • Users who do a clean install of OpenAM 13.5.0 or later are not impacted.

Known Issues

The following important known issues remained open at the time the release became available. For details and information on other issues, see the issue tracker.

Known Issues in AM 7.0.1

Known Issues in AM 7

  • OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

  • OPENAM-10427: LDAP connections created by the configurator wizard are never closed

  • OPENAM-10554: AM installation fails if BASE_DIR is different from the path in .openamcfg

  • OPENAM-10696: Login screen does not show mobile users feedback on failure

  • OPENAM-11083: Delegated Admin cannot create Oauth2 Provider in realm

  • OPENAM-11737: http.response.headers not populating in audit logs

  • OPENAM-12207: Created OAuth2 client using curl request with defined scopes breaks the AM UI

  • OPENAM-13513: Call Authentication Tree in a Radius Client

  • OPENAM-13962: Errors during shutdown of AM

  • OPENAM-14207: NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

  • OPENAM-14263: Bad title for External Data Stores secondary configuration page

  • OPENAM-14290: Caching issue for 'users' REST endpoint

  • OPENAM-14322: Servers -> Directory Configuration API Can Be Broken With Crafted Payload

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-14404: Multiple calls being made to session endpoint by XUI when session cookie lost

  • OPENAM-14494: In Firefox the text is cropped inside of the realm's card on Dashboard

  • OPENAM-14499: SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

  • OPENAM-14500: SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

  • OPENAM-14576: Configuration LDAP accessed when users endpoint accessed

  • OPENAM-14594: Possible thread-safety issue in OIDC pairwise subject identifiers

  • OPENAM-14602: The API documentation for some Node API is missing methods/fields in 6.5/7

  • OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

  • OPENAM-14755: NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

  • OPENAM-14834: JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search

  • OPENAM-14837: Trusted Issuer lookup does not pick up modified issuer values

  • OPENAM-14838: Trusted JWT issuer cache is refreshed inefficiently affecting other lookups

  • OPENAM-14882: OAuth2 do not log scopes while using device code flow

  • OPENAM-14887: TimerPool logs error during AM graceful shutdown

  • OPENAM-14897: Default values for JWKs URI content cache timeout and miss timeout are not set on upgrade

  • OPENAM-15027: React-select-multi component - when press enter on the 'x' of selected entry to delete it triggers the form submission instead

  • OPENAM-15037: React-select-multi component - when press a key to add an entry the previously selected entry remains highlighted

  • OPENAM-15253: Upgrade fails if external data store for Applications and Policies is used

  • OPENAM-15351: During Upgrade Scripts are not updated

  • OPENAM-15534: LDAP connection errors when using DS7 and rest2ldap test

  • OPENAM-15609: CorsService API Descriptor text doesn't match functionality

  • OPENAM-15699: _fields query parameter for API "Action" end point eg _action=refresh does not work as documented

  • OPENAM-15727: JWT minted by oauth2/authorize does not have correct acr claim when an upgraded SSO token is used

  • OPENAM-15791: The /json/groups endpoint is not accessible to the Agents

  • OPENAM-15812: WebAuthN Node for a user with a webauthn profile for another site causes authenticator to complain using wrong security key

  • OPENAM-15860: IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15879: openam > ui-admin > entire sessions view disappears when querying with asterisk

  • OPENAM-15892: ScriptingSchemaStep clears whitelist customisations on upgrade

  • OPENAM-16068: Annotation based service implementation provides no way to deregister service listeners

  • OPENAM-16076: An auth node config marked @password (type char[]) cannot also be Optional

  • OPENAM-16105: AM Login UI cannot handle self service and SDK authentication callbacks

  • OPENAM-16197: social authmodule does not send activation email if un-authenticated SMTP server is used

  • OPENAM-16202: Deleting SAML2 entities in console does not remove them from COT

  • OPENAM-16229: Exceptions logged while upgrading to AM7

  • OPENAM-16258: Resource login fails to work to Authenticate to Module instance

  • OPENAM-16261: Node dev guide - CoreWrapper is not supported API

  • OPENAM-16280: German login page translation is not complete

  • OPENAM-16491: SAML Update introduces javascript calls that aren't available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16522: Device Save Node failed on Platform environment

  • OPENAM-16539: userinfo endpoint does not return expected user attributes

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16554: misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16561: OAuth Consent screen does not apply theming

  • OPENAM-16581: SAML No authentication context error with authn module init SSO
